Sponsored by..

Showing posts with label Microsoft. Show all posts
Showing posts with label Microsoft. Show all posts

Friday, 29 May 2009

Bing.com is coming. W00t!

Microsoft is launching a new search engine called bing.com on Monday. Given the current fashion for "reboots" in movies and TV shows, bing.com can be considered a reboot of live.com which is turn was a reboot of MSN Search, and it follows in the great traditions of Google Killers such as.. errr... Cuil.

Microsoft say:
We took a new approach to go beyond search to build what we call a decision engine. With a powerful set of intuitive tools on top of a world class search service, Bing will help you make smarter, faster decisions. We included features that deliver the best results, presented in a more organized way to simplify key tasks and help you make important decisions faster.

And features like cashback, where we actually give you money back on great products, and Price Predictor, which actually tells you when to buy an airline ticket in order to help get you the best price — help you make smarter decisions, and put money back in your pocket.
I say:
Microsoft have never been any good at search, and it's hard to see how this will beat Google when all people want to do is find stuff and move on. Heck, even Google struggles to get people to use more than search - according to Alexa, 90% of Google traffic is for search, image search and mail. If people really wanted more, they would probably use it.

Anyway, we fixed Bing's logo for them.

According the the Internet Archive, the bing.com domain already has a substantial history of fail. Including a bizarre scheme to turn email messages into snail mail post. Hmmmm.

Wednesday, 14 January 2009

MS09-001 prognosis. Install it now? Leave it for later?

It's patch Tuesday again, with just a single update from Microsoft: MS09-001.

If you are administering a corporate network, then the question that you probably ask yourself each week is "do I need to patch my servers"?

The prognosis for this one seems to be.. "maybe". Microsoft's own bulletin summary gives MS09-001 an exploitability index of "3 - Functioning exploit code unlikely". But the flaw itself is rated "Critical" and could lead to remote code execution.. so there is a low probability of a very serious exploit.

It turns out that it is much more likely that an attempted attack using MS09-001 would blue screen the target system - and that is more likely to be a worry, especially on delicate servers. The Microsoft Security blog has a good writeup and recommends the following priorities:

In terms of prioritizing the deployment of this update, we recommend updating SMB servers and Domain Controllers immediately since a system DoS would have a high impact. Other configurations should be assessed based on the role of the machine. For example, non-critical workstations could be considered lower priority assuming a system DoS is an acceptable risk. Systems with SMB blocked at the host firewall could also be updated more slowly.

Some further reading gives mixed signals: Sophos labels this as a medium threat, SC Magazine reports differing opinions, ZDnet also mentions the denial of service risk, ISC rates it as "Critical" but not "Patch now".

Given that it doesn't take long for the bad guys to implement an exploit for these flaws, and the recent well-publicised spread of the Downadup / Conficker worm then perhaps Microsoft's advice is very pertinent - start by protecting those systems that would suffer the most if they crashed, but there is perhaps not the urgency of the MS08-067 patch that came late last year.

Tuesday, 16 December 2008

MS08-078: Out-of-band patch for IE coming

Microsoft are issuing an out-of-band patch tomorrow (17th December) for the well-publicised flaw in Internet Explorer. This is another one of those "patch now" things - see here for more details.

"IE 7 users: stop looking at porn now!"

This zero day vulnerability in Internet Explorer has already been very widely publicised. There are no effective workarounds for the problem until Microsoft patch it.. apart from using a different browser.

The aptly named Zero Day blog has this sage piece of advice: "IE 7 users: stop looking at porn now!" Simply put, randomly surfing for smut, warez, illegal torrents or anything like that* is likely to infect your machine if you are running IE.

In fact, because there's no such thing as a safe site you should consider ditching IE altogether. If you're running Windows then probably one of the safest things you can do is get Firefox, add the NoScript extension and then ensure that your PC is fully up-to-date by using the Secunia Software Inspector. Even security firms such as CA and Trend Micro have had their sites compromised to serve up malware in the past, so you can never be to careful...

* or Myspace.. or Facebook..

Wednesday, 10 December 2008

Vulnerability in WordPad Text Converter Could Allow Remote Code Execution

Most people will rarely use WordPad these days, but it's installed on pretty much every Windows system out there. So when Microsoft announce a vulnerability in WordPad, it could spell trouble.. essentially, a specially-crafted WordPad file could run arbitrary code on your system.

WordPad documents have a .DOC or .WRI extension, and if you have Word installed (or a similar product) then .DOC files will default to loading in Word instead. So, to mitigate against this you could simply block .WRI files at your proxy and/or mail filter. Or you could use Windows XP SP3 or Vista.. but that's not exactly a quick fix. Or you could deassociate .WRI files from WordPad using a policy.

There aren't a lot of WRI files to test with on the web, so here's a harmless file I prepared earlier:

Tuesday, 18 November 2008

Microsoft Morro: free anti-virus software for consumers

This might be a good deal for cash-strapped consumers, but a bad deal for other anti-virus companies.

Anyway, "Microsoft Morro" is the name given to this idea of giving away free anti-virus software to consumers. I will say that Microsoft's malware scanning technology is actually pretty darned good, but having a security monoculture is not a good idea.

I think perhaps McAfee, Symantec and some other AV vendors might be lawyering up on this one..

Thursday, 23 October 2008


Microsoft Security Bulletin MS08-067 – Critical: Vulnerability in Server Service Could Allow Remote Code Execution (958644)

Let's make it simple: PATCH NOW. Microsoft's say that this can spread from machine to machine without authentication, and reliable exploit code is likely. This makes it the ideal security flaw to hook a worm onto, like Blaster or Sasser.

If you're a corporate user with a firewall DO NOT imagine that the firewall will offer you much in the way of protection. Eventually either a worm-infected laptop will be plugged into your internal network, or possibly a infected machine may breach the firewall when it connects through the VPN. If there is a widespread outbreak and you're not prepared, then shutting off your VPN may buy you some time.

Wednesday, 25 June 2008

Microsoft Security Advisory (954462) - Rise in SQL Injection Attacks Exploiting Unverified User Data Input

A timely advisory from Microsoft on SQL Injection attacks plus some tools to help secure your setup are available on KB954462 with more information here and ISC's commentary here.

Of particular interest is the free Scrawlr tool available from HP. That could be a useful way to see if your server is vulnerable before the bad guys find it,

Wednesday, 11 July 2007

MS07-039 clarification

Yesterday was Patch Tuesday, and amongst the usual load of vulnerabilities was MS07-039 - Vulnerability in Windows Active Directory Could Allow Remote Code Execution (926122) - however in this case Microsoft are a little vague about exactly which servers are impacted, referring only to "Active Directory Servers".

Well, what are Active Directory Servers? If you're running an AD environment then all servers are members servers of Active Directory. Does these mean that all servers needs patching, or is it restricted to Domain Controller (DC) and Global Catalog (GC) servers only? Patching DCs and GCs isn't too big a deal.. patching all servers for MS07-039 would be a nightmare.

One the clue is in Knowledgebase article 926122 which explains that this really is limited to servers performing the DC/GC role:

A hotfix was created to work around a problem in which the domain controller has to be restarted to let users renew their certificates. However, this hotfix let any user renew a certificate. This security update includes a hotfix to modify this behavior. After you install this security update, authentication is required for certificate renewal.

After you install this security update, only domain administrators and network administrators can renew certificates. Also, an administrator cannot delegate the right to renew certificates.

For such a critical vulnerability, Microsoft's wording is particularly vague. It does seem that it doesn't apply to member servers, but just to Domain Controllers (including Global Catalog servers, FSMO servers etc). These are critical servers, so you should patch them soon before the bad guys get to them.

Wednesday, 9 May 2007

Patch Tuesday

A number of nasty looking vulnerabilities. These are my takes on the seriousness of these flaws, you should evaluate them against your own organisation.

MS07-026 Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (931832)
A series of flaws in Microsoft Exchange 2003 and 2007, the most serious of which is a MIME decoding flaw which can allow a remote attacker to take complete control of the system through a specially crafted email message. This is an extremely serious problem because most corporate firewalls will not offer any protection against messages of this type. There are no known current exploits, but these usually come about very quickly after the vulnerability is announced.
Client impact: low
Server impact: high

MS07-029 Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)
A critical flaw in the DNS server service can allow a remote attacker to take complete control of a system. This is clearly a significant threat to any servers running the DNS service role and will patching as soon as possible. This is being actively exploited at the moment. Corporate firewalls will mitigate against this somewhat, until an infected machine enters your network.
Client impact: low
Server impact: high

MS07-023 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (934233)
A depressingly familiar flaw in MS Office impacting Excel 2000, 2002, 2003 and 2007 and even Excel 2004 for the Mac. WSUS or some other patching method should be used to roll these out to client workstations. Safe server practices should mean that this is not so important for corporate servers.
Client impact: high
Server impact: low

MS07-024 Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (934232)
Another Office flaw, this time for Word 2000, 2002 and 2003 plus Microsoft Works 2004, 2005 and 2006 - but not Word 2007. This is being actively exploited and should be authorised for rollout as soon as possible.. Office 2000 installations will require manual remediation.
Client impact: high
Server impact: low

MS07-025 Vulnerability in Microsoft Office Could Allow Remote Code Execution (934873)
A vulnerability in the way Office handles drawing objects can be exploited by a specially crafted Office document (e.g. attached to an email) or an object embedded in a web site. This affects Office 2000, 2002, 2003 and 2007 and also Office 2004 for the Mac - primarily the Excel, Publisher and FrontPage components. It also impacts Excel Viewer 2003. This should be authorised for rollout to clients as soon as possible. Office 2000 will require manual remediation.
Client impact: high
Server impact: low

MS07-027 Cumulative Security Update for Internet Explorer (931768)
Various flaws in IE6 and IE7 on Windows 2000, XP, 2003 and Vista. Safe practice on servers should mitigate against this (i.e. restrict use of IE to Windows Update only). Some of these flaws are being actively exploited, so patch as soon as possible.
Client impact: high
Server impact: low

MS07-028 Vulnerability in CAPICOM Could Allow Remote Code Execution (931906)
Well, obviously high if you use this product, else few people will be at risk.
Client impact: low
Server impact: low

Wednesday, 28 March 2007

"The system is not fully installed": Windows XP, WMP 11 and Sysprep

Kudos to lizardking009 for this post at the 2cpu.com forums.

After using Sysprep to prepare a new Windows XP build for distribution to some Dell laptops, I got the a message saying The system is not fully installed when trying to restart the machine.

It turns out that this is due to the presence of Windows Media Player 11 which screws up the Sysprep process somehow. I can't say that I'm a big fan of this DRM-laded stuff, but generally speaking you always load the latest version of everything before resealing the machine to take an image from it.

Microsoft have this knowledgebase article showing how to recover from the problem, although I discovered that this does not work very well on machines that have already been built from a Sysprep (such as Dells). If you're working in a reasonably well equipped environment with another XP machine and a suitable external USB drive enclosure then it's probably easier to edit the registry on the affected PC's hard disk by plugging it into the USB port of another machine, i.e.:

  • Load REGEDIT
  • Select HKEY_USERS
  • Go into File.. Load Hive..
  • Browse to the \WINDOWS\System32\Config\System file on the USB connected drive
  • Name the hive "system" or whatever you like
  • Find the Setup key on the newly loaded hive and locate SystemSetupInProgress.
  • Change the data from 1 to 0.
  • Unload the Hive
Then, once the hard disk is reinserted into the original machine, bring it up in Safe Mode, deinstall Windows Media Player 11 and reboot. This should start the setup process (you can choose to take an image at this point, if you wish).